diff options
| -rw-r--r-- | include/linux/audit.h | 3 | ||||
| -rw-r--r-- | security/selinux/selinuxfs.c | 11 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 15 |
3 files changed, 23 insertions, 6 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index fbc21d6267f3..8868c96ca8a2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -83,6 +83,9 @@ | |||
| 83 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 83 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
| 84 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 84 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
| 85 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ | 85 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ |
| 86 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | ||
| 87 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | ||
| 88 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | ||
| 86 | 89 | ||
| 87 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 90 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ |
| 88 | 91 | ||
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index b5fa02d17b1e..5eba6664eac0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -21,6 +21,7 @@ | |||
| 21 | #include <linux/major.h> | 21 | #include <linux/major.h> |
| 22 | #include <linux/seq_file.h> | 22 | #include <linux/seq_file.h> |
| 23 | #include <linux/percpu.h> | 23 | #include <linux/percpu.h> |
| 24 | #include <linux/audit.h> | ||
| 24 | #include <asm/uaccess.h> | 25 | #include <asm/uaccess.h> |
| 25 | #include <asm/semaphore.h> | 26 | #include <asm/semaphore.h> |
| 26 | 27 | ||
| @@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, | |||
| 126 | length = task_has_security(current, SECURITY__SETENFORCE); | 127 | length = task_has_security(current, SECURITY__SETENFORCE); |
| 127 | if (length) | 128 | if (length) |
| 128 | goto out; | 129 | goto out; |
| 130 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
| 131 | "enforcing=%d old_enforcing=%d auid=%u", new_value, | ||
| 132 | selinux_enforcing, | ||
| 133 | audit_get_loginuid(current->audit_context)); | ||
| 129 | selinux_enforcing = new_value; | 134 | selinux_enforcing = new_value; |
| 130 | if (selinux_enforcing) | 135 | if (selinux_enforcing) |
| 131 | avc_ss_reset(0); | 136 | avc_ss_reset(0); |
| @@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, | |||
| 176 | length = selinux_disable(); | 181 | length = selinux_disable(); |
| 177 | if (length < 0) | 182 | if (length < 0) |
| 178 | goto out; | 183 | goto out; |
| 184 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
| 185 | "selinux=0 auid=%u", | ||
| 186 | audit_get_loginuid(current->audit_context)); | ||
| 179 | } | 187 | } |
| 180 | 188 | ||
| 181 | length = count; | 189 | length = count; |
| @@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf, | |||
| 261 | length = ret; | 269 | length = ret; |
| 262 | else | 270 | else |
| 263 | length = count; | 271 | length = count; |
| 272 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, | ||
| 273 | "policy loaded auid=%u", | ||
| 274 | audit_get_loginuid(current->audit_context)); | ||
| 264 | out: | 275 | out: |
| 265 | up(&sel_sem); | 276 | up(&sel_sem); |
| 266 | vfree(data); | 277 | vfree(data); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8a764928ff4b..d877cd16a813 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values) | |||
| 1758 | goto out; | 1758 | goto out; |
| 1759 | } | 1759 | } |
| 1760 | 1760 | ||
| 1761 | printk(KERN_INFO "security: committed booleans { "); | ||
| 1762 | for (i = 0; i < len; i++) { | 1761 | for (i = 0; i < len; i++) { |
| 1762 | if (!!values[i] != policydb.bool_val_to_struct[i]->state) { | ||
| 1763 | audit_log(current->audit_context, GFP_ATOMIC, | ||
| 1764 | AUDIT_MAC_CONFIG_CHANGE, | ||
| 1765 | "bool=%s val=%d old_val=%d auid=%u", | ||
| 1766 | policydb.p_bool_val_to_name[i], | ||
| 1767 | !!values[i], | ||
| 1768 | policydb.bool_val_to_struct[i]->state, | ||
| 1769 | audit_get_loginuid(current->audit_context)); | ||
| 1770 | } | ||
| 1763 | if (values[i]) { | 1771 | if (values[i]) { |
| 1764 | policydb.bool_val_to_struct[i]->state = 1; | 1772 | policydb.bool_val_to_struct[i]->state = 1; |
| 1765 | } else { | 1773 | } else { |
| 1766 | policydb.bool_val_to_struct[i]->state = 0; | 1774 | policydb.bool_val_to_struct[i]->state = 0; |
| 1767 | } | 1775 | } |
| 1768 | if (i != 0) | ||
| 1769 | printk(", "); | ||
| 1770 | printk("%s:%d", policydb.p_bool_val_to_name[i], | ||
| 1771 | policydb.bool_val_to_struct[i]->state); | ||
| 1772 | } | 1776 | } |
| 1773 | printk(" }\n"); | ||
| 1774 | 1777 | ||
| 1775 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { | 1778 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { |
| 1776 | rc = evaluate_cond_node(&policydb, cur); | 1779 | rc = evaluate_cond_node(&policydb, cur); |